Latvia applies the General Data Protection Regulation (GDPR) directly and supplements it with national legislation that creates obligations beyond the baseline EU framework. Businesses operating in Latvia face active regulatory enforcement, mandatory data protection officer appointments in specific scenarios, and strict rules on cross-border data transfers. This article covers the legal framework, key compliance tools, enforcement mechanics, and practical risks for international operators - giving decision-makers a structured roadmap for managing data protection exposure in Latvia.
The primary instrument is Regulation (EU) 2016/679 (GDPR), which applies directly across Latvia without transposition. Latvia supplements it with the Personal Data Processing Law (Fizisko personu datu apstrādes likums), which entered into force in 2018 and was subsequently amended to address national derogations permitted under GDPR Articles 6(2), 9(4), and 23. The law designates the Data State Inspectorate (Datu valsts inspekcija, DVI) as the national supervisory authority and defines its investigative and corrective powers.
The Personal Data Processing Law fills several gaps left open by the GDPR. It sets the minimum age for valid consent to digital services at 13 years, below the GDPR default of 16 but within the permitted range under Article 8(1). It also specifies conditions for processing personal data in employment contexts, including rules on monitoring employees, handling health data, and retaining personnel records. Employers operating in Latvia must align their HR data practices with both the GDPR and these national provisions simultaneously.
Latvia's Criminal Law (Krimināllikums) contains provisions on unlawful disclosure of personal data and computer-related offences that can apply alongside administrative GDPR sanctions. This dual exposure - administrative fines from the DVI and potential criminal liability - is a non-obvious risk that many international businesses underestimate when assessing their Latvia-specific compliance burden.
The Electronic Communications Law (Elektronisko sakaru likums) implements Directive 2002/58/EC (the ePrivacy Directive) and governs cookies, electronic direct marketing, and traffic data retention. Businesses running websites or apps targeting Latvian users must comply with both the GDPR and the Electronic Communications Law simultaneously, as the two instruments address overlapping but distinct obligations.
Every controller or processor active in Latvia must maintain a Record of Processing Activities (RPA) under GDPR Article 30. The DVI has consistently treated an absent or incomplete RPA as an aggravating factor in enforcement proceedings. The RPA must document processing purposes, categories of data subjects, retention periods, and technical and organisational security measures. For businesses with more than 250 employees, or those processing sensitive data or data likely to result in high risk, the RPA obligation is unconditional.
Data Protection Impact Assessments (DPIAs) are mandatory under GDPR Article 35 when processing is likely to result in high risk. The DVI has published a list of processing types that automatically trigger a DPIA in Latvia. These include large-scale processing of special category data, systematic monitoring of publicly accessible areas, and profiling that produces legal or similarly significant effects. Conducting a DPIA after the processing has started - rather than before - is a common mistake that exposes controllers to enforcement action even where the underlying processing is lawful.
The appointment of a Data Protection Officer (DPO) is required under GDPR Article 37 for public authorities, organisations conducting large-scale systematic monitoring, and those processing special category data at scale. In Latvia, the DVI expects DPOs to be genuinely independent and operationally effective. Appointing a DPO in name only, without adequate resources or authority, has been treated as a compliance failure in DVI investigations. The DPO must be registered with the DVI, and the registration details must be publicly accessible.
Consent under GDPR Article 7 must be freely given, specific, informed, and unambiguous. In Latvia, the DVI scrutinises consent mechanisms closely, particularly in digital environments. Pre-ticked boxes, bundled consent, and consent obtained as a condition of service access are all non-compliant. A common mistake by international businesses entering the Latvian market is importing consent forms designed for other jurisdictions without adapting them to the DVI's published guidance on valid consent architecture.
To receive a checklist on GDPR compliance obligations for businesses entering Latvia, send a request to info@vlo.com.
A personal data breach is defined under GDPR Article 4(12) as a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In Latvia, the controller must notify the DVI within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The 72-hour clock starts from the moment the controller has sufficient information to confirm that a breach has occurred - not from the moment of discovery of a potential incident.
Where notification to the DVI cannot be made within 72 hours, the controller must provide a reasoned explanation for the delay alongside the notification. The DVI accepts phased notifications: an initial report within 72 hours followed by a supplementary report once the full scope of the breach is known. Failing to notify at all, or notifying significantly late without justification, is treated as a separate infringement from the breach itself and can result in cumulative sanctions.
Where a breach is likely to result in a high risk to individuals, the controller must also notify affected data subjects directly under GDPR Article 34. The notification must describe the nature of the breach, the likely consequences, and the measures taken or proposed. In Latvia, the DVI has the power to order the controller to notify data subjects if the controller has failed to do so. Processors must notify their controller clients without undue delay upon becoming aware of a breach - a contractual obligation that must be reflected in Data Processing Agreements (DPAs) under GDPR Article 28.
In practice, it is important to consider that the DVI evaluates not only whether notification was made on time, but also whether the controller had adequate incident response procedures in place before the breach occurred. Businesses that cannot demonstrate a documented incident response plan face higher administrative fines even where the breach itself was minor. The cost of establishing a proper incident response framework is modest relative to the cost of defending an enforcement action.
Transferring personal data from Latvia to countries outside the European Economic Area (EEA) requires a legal transfer mechanism under GDPR Chapter V. The available mechanisms include adequacy decisions adopted by the European Commission, Standard Contractual Clauses (SCCs) approved by the Commission, Binding Corporate Rules (BCRs), and derogations under GDPR Article 49 for specific situations. Latvia does not maintain a separate national list of adequate countries - the EU-level adequacy decisions apply directly.
Standard Contractual Clauses are the most commonly used mechanism for transfers from Latvia to third countries. The Commission adopted updated SCCs in 2021, replacing the earlier sets. Controllers and processors in Latvia must use the 2021 SCCs for new contracts and must have updated legacy contracts. A non-obvious risk is that SCCs alone are not always sufficient: following the Court of Justice of the EU's Schrems II judgment, controllers must conduct a Transfer Impact Assessment (TIA) to verify that the legal framework of the destination country does not undermine the protections offered by the SCCs. The DVI can request TIA documentation during an investigation.
Binding Corporate Rules are available for intra-group transfers and require approval by the lead supervisory authority. For Latvian entities that are part of multinational groups, BCRs offer a more streamlined long-term solution than maintaining SCCs for every intra-group data flow. However, the BCR approval process is lengthy - typically taking 12 to 24 months - and requires significant internal governance investment.
The derogations under GDPR Article 49 - including transfers necessary for the performance of a contract with the data subject, or based on explicit consent - are available in Latvia but must be used sparingly. The DVI follows the European Data Protection Board's guidance that Article 49 derogations are not a substitute for a proper transfer mechanism and should not be used for systematic or repetitive transfers.
Three practical scenarios illustrate the transfer risk landscape. A Latvian e-commerce business using a US-based cloud provider must have SCCs in place and a TIA on file. A multinational group routing HR data from its Latvian subsidiary to a parent company in a non-EEA country must rely on BCRs or SCCs with a TIA. A Latvian fintech sharing customer data with a payment processor in a country without an adequacy decision must document its transfer mechanism and be prepared to demonstrate compliance to the DVI on request.
To receive a checklist on cross-border data transfer compliance for Latvia-based operations, send a request to info@vlo.com.
The Data State Inspectorate (Datu valsts inspekcija) is Latvia's national supervisory authority under GDPR Article 51. The DVI has the power to conduct investigations on its own initiative or in response to complaints, issue warnings and reprimands, impose temporary or permanent bans on processing, and impose administrative fines. The DVI also cooperates with supervisory authorities in other EU member states through the consistency mechanism and the one-stop-shop procedure for cross-border processing.
Administrative fines under the GDPR are tiered. Less serious infringements - such as failures related to DPO appointment, record-keeping, or breach notification - attract fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. More serious infringements - including unlawful processing, violations of data subjects' rights, and unlawful transfers - attract fines of up to EUR 20 million or 4% of total worldwide annual turnover, again whichever is higher. The DVI applies the criteria in GDPR Article 83(2) when calculating fines, including the nature, gravity, and duration of the infringement, the degree of cooperation, and any previous infringements.
In practice, the DVI has demonstrated willingness to investigate complaints from individuals, including employees and customers of businesses operating in Latvia. Complaints related to unlawful employee monitoring, non-compliant cookie banners, and refusal to honour data subject access requests have all generated DVI investigations. The risk of inaction is concrete: a complaint filed with the DVI can trigger a full investigation within weeks, and the DVI has the power to request extensive documentation from the controller within a short response window.
A common mistake by international businesses is treating Latvia as a low-enforcement jurisdiction because it is smaller than Germany or France. The DVI is an active regulator with a track record of imposing meaningful sanctions. Businesses that have invested in GDPR compliance for their operations in larger EU markets but have not adapted their programmes to Latvia's national derogations and DVI expectations face a specific and underappreciated compliance gap.
The cost of non-specialist mistakes in Latvia is measurable. A business that fails to appoint a DPO when required, fails to maintain an RPA, and fails to notify a breach on time faces potential cumulative fines across three separate infringement categories. Legal fees for defending a DVI investigation typically start from the low thousands of EUR for straightforward matters and increase significantly for complex multi-issue investigations. Proactive compliance investment is substantially cheaper than reactive defence.
GDPR Chapter III grants data subjects a comprehensive set of rights: the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), and the right to object (Article 21). In Latvia, these rights are directly enforceable against controllers, and data subjects can complain to the DVI if a controller fails to respond adequately.
Controllers must respond to access requests within one month of receipt. The period can be extended by a further two months for complex or numerous requests, but the controller must notify the data subject of the extension within the initial one-month period. Failure to respond at all, or responding outside the deadline without justification, is a standalone infringement that the DVI treats seriously. Many businesses underappreciate the operational burden of handling access requests at scale and fail to build adequate internal processes before they receive their first request.
The right to erasure - often called the right to be forgotten - applies in Latvia subject to the conditions in GDPR Article 17. Controllers can refuse erasure where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for reasons of public interest. In employment contexts, the Personal Data Processing Law specifies minimum retention periods for certain HR records that override an employee's erasure request. Controllers must be able to articulate the legal basis for refusing erasure clearly and in writing.
Data portability under GDPR Article 20 applies only where processing is based on consent or contract and is carried out by automated means. In Latvia, fintech and digital service businesses face the most frequent portability requests. The data must be provided in a structured, commonly used, and machine-readable format. Controllers that store data in proprietary formats without a portability solution in place face both a compliance gap and a reputational risk when a portability request arrives.
Three scenarios illustrate the practical stakes. An employee of a Latvian company requests access to all personal data held about them, including performance reviews and monitoring logs - the controller has one month to respond and must provide all data unless a specific exemption applies. A customer of a Latvian e-commerce business requests erasure of their account data - the controller must erase unless a legal retention obligation applies and must document its reasoning. A user of a Latvian fintech app requests portability of their transaction history - the controller must provide the data in a machine-readable format within one month.
We can help build a strategy for managing data subject rights requests in Latvia. Contact info@vlo.com to discuss your specific situation.
What is the most significant practical risk for a foreign business entering the Latvian market without a dedicated data protection programme?
The most significant risk is operating without a lawful basis for each processing activity and without an adequate Record of Processing Activities. The DVI can initiate an investigation based on a single complaint from a customer or employee, and an absent RPA immediately signals systemic non-compliance. Controllers without documented processing records face difficulty defending any aspect of their programme during an investigation. The combination of missing documentation, absent DPO appointment where required, and non-compliant consent mechanisms creates cumulative exposure across multiple infringement categories simultaneously.
How long does a DVI investigation typically take, and what are the financial consequences of an adverse outcome?
A DVI investigation can take anywhere from several months to over a year depending on complexity and the controller's level of cooperation. The DVI may issue interim orders - including temporary processing bans - before the investigation concludes. Financial consequences range from formal warnings with no monetary penalty for minor first-time infringements to fines reaching the statutory maximum for serious or repeated violations. Legal costs for defending an investigation add to the financial burden. Businesses that cooperate fully, provide complete documentation promptly, and demonstrate remediation measures generally receive more favourable outcomes than those that are unresponsive or obstructive.
When should a business in Latvia consider appointing an external DPO rather than an internal one?
An external DPO is worth considering when the organisation lacks internal expertise in data protection law, when the internal candidate has a conflict of interest due to their other responsibilities, or when the volume of data protection work does not justify a full-time internal hire. External DPOs can serve multiple organisations simultaneously under GDPR Article 37(3), which makes them cost-effective for small and medium-sized businesses. The key requirement is that the DPO - whether internal or external - must have expert knowledge of data protection law, must be genuinely independent, and must have sufficient resources to perform their tasks. The DVI evaluates DPO effectiveness in practice, not merely on paper.
Data protection compliance in Latvia requires engagement with both the GDPR and Latvia's national implementing legislation. The DVI is an active regulator, and the combination of administrative fines, potential criminal liability, and reputational damage from enforcement action creates a concrete business risk. Proactive investment in a documented compliance programme - covering lawful bases, DPO appointment, breach response, transfer mechanisms, and data subject rights processes - is the most cost-effective approach for businesses operating in or entering the Latvian market.
To receive a checklist on building a complete data protection compliance programme for Latvia, send a request to info@vlo.com.
Our law firm Vetrov & Partners has experience supporting clients in Latvia on data protection and privacy matters. We can assist with GDPR compliance assessments, DPO services, data breach response, cross-border transfer structuring, DVI investigation defence, and data subject rights programme design. To receive a consultation, contact: info@vlo.com.